SOLVED
Home

Add/Remove External Guest User from SP Site behavour in Azure/365

%3CLINGO-SUB%20id%3D%22lingo-sub-1096405%22%20slang%3D%22en-US%22%3EAdd%2FRemove%20External%20Guest%20User%20from%20SP%20Site%20behavour%20in%20Azure%2F365%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1096405%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAdding%20external%20%22User1%22%20from%20within%20SP%20(Sharing%20Site)%20creates%20guest%20%22User1%22%20in%20Azure%20and%20365Admin%20consoles.%3C%2FP%3E%3CP%3ERemoving%20same%20external%20User1%20from%20SP%20does%20not%20remove%20guest%20user1%20in%20Azure%20and%20365Admin%20consoles.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQ1.%20Is%20this%20by%20design%3F%20That%20User1%20can%20be%20'auto'%20added%20to%20Azure(AD)%20from%20SP%20but%20not%20correspondingly%20removed%20from%20Azure(AD)%20when%20removed%20from%20SP%20site.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQ.2%20Is%20there%20a%20way%20to%20change%20this%20behaviour%3F%20As%20otherwise%20Azure(AD)%20is%20going%20to%20fill%20up%20with%20Guest%20Users%2C%20who%20although%20removed%20from%20a%20SP%20site%20are%20still%20available%20(presumably%3F)%20to%20be%20accidentally%20added%20by%20another%20Member%20User%20(with%20add%20guest%20user%20permissions)%20to%20say%20a%20OneDrive%20file%20or%20other%20feature.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1096405%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1097213%22%20slang%3D%22en-US%22%3ERe%3A%20Add%2FRemove%20External%20Guest%20User%20from%20SP%20Site%20behavour%20in%20Azure%2F365%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1097213%22%20slang%3D%22en-US%22%3E%3CP%3EHello%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F510255%22%20target%3D%22_blank%22%3E%40T11EJD%3C%2FA%3E%26nbsp%3B!%26nbsp%3B%3C%2FP%3E%3CP%3EI%20will%20answer%20your%20questions%20below%20(A1%20for%20Q1%20and%20A2%20for%20Q2)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA1%3A%20Yes%20this%20is%20by%20design.%20When%20you%20invite%20an%20external%20user%20to%20a%20Sharepoint%20file%20or%20folder%2C%20a%20guest%20account%20in%20your%20companies%20Azure%20AD%20needs%20to%20be%20created.%20This%20is%20to%20make%20sure%20that%20the%20guest%20users%20are%20authenticated%20and%20get%20any%20security%20(%20Conditional%20access%20)%20policies%20for%20example.%26nbsp%3B%3CBR%20%2F%3EThis%20is%20the%20same%20behavior%20as%20inviting%20an%20external%20user%20to%20Teams.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA2%3A%20No%2C%20as%20long%20as%20external%20users%20need%20to%20athenticate%20then%20they%20will%20need%20to%20have%20a%20guest%20account.%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20however%20share%20a%20document%20with%20an%20anonymous%20link%2C%20then%20they%20dont%20need%20a%20guest%20account.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAutomaitcally%20removing%20guest%20users%20when%20removed%20from%20a%20sharepoint%20site%20could%20be%20troublesome.%20Imagine%20if%20that%20guest%20user%20was%20a%20member%20of%203%20different%20sites%2C%20that%20would%20mean%20they%20would%20loose%20access%20to%20all%203%20sites.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGuest%20users%20in%20Azure%20AD%20is%20not%20a%20problem%2C%20just%20make%20sure%2C%20like%20with%20any%20users%2C%20that%20you%20do%20an%20audit%20of%20what%20users%20you%20have%20and%20what%20users%20you%20can%20terminate.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20hope%20this%20answered%20your%20questions!%26nbsp%3B%3CBR%20%2F%3ELet%20me%20know%20if%20you%20have%20further%20questions%20or%20if%20my%20replies%20are%20unclear!%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EKind%20Regards%3CBR%20%2F%3EOliwer%20Sj%C3%B6berg%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1098266%22%20slang%3D%22en-US%22%3ERe%3A%20Add%2FRemove%20External%20Guest%20User%20from%20SP%20Site%20behavour%20in%20Azure%2F365%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1098266%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20have%20features%20such%20as%20Access%20Reviews%20and%20the%20recently%20released%20Entitlement%20management%20to%20address%20%232.%20In%20particular%2C%20Entitlement%20management%20can%20be%20used%20to%20govern%20the%20whole%20process%2C%20from%20adding%20an%20external%20user%20to%20the%20directory%2C%20granting%20him%20access%20to%20SPO%2C%20removing%20access%2C%20removing%20the%20user%20altogether.%20But%20it%20requires%20Azure%20AD%20P2%20licenses.%20Here's%20the%20documentation%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fgovernance%2Fentitlement-management-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fgovernance%2Fentitlement-management-overview%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
T11EJD
Occasional Contributor

Hi,

 

Adding external "User1" from within SP (Sharing Site) creates guest "User1" in Azure and 365Admin consoles.

Removing same external User1 from SP does not remove guest user1 in Azure and 365Admin consoles.

 

Q1. Is this by design? That User1 can be 'auto' added to Azure(AD) from SP but not correspondingly removed from Azure(AD) when removed from SP site.

 

Q.2 Is there a way to change this behaviour? As otherwise Azure(AD) is going to fill up with Guest Users, who although removed from a SP site are still available (presumably?) to be accidentally added by another Member User (with add guest user permissions) to say a OneDrive file or other feature.

 

Thank you

2 Replies
Highlighted
Solution

Hello@T11EJD ! 

I will answer your questions below (A1 for Q1 and A2 for Q2)

 

A1: Yes this is by design. When you invite an external user to a Sharepoint file or folder, a guest account in your companies Azure AD needs to be created. This is to make sure that the guest users are authenticated and get any security ( Conditional access ) policies for example. 
This is the same behavior as inviting an external user to Teams. 

 

A2: No, as long as external users need to athenticate then they will need to have a guest account. 

If you however share a document with an anonymous link, then they dont need a guest account. 

 

Automaitcally removing guest users when removed from a sharepoint site could be troublesome. Imagine if that guest user was a member of 3 different sites, that would mean they would loose access to all 3 sites. 

 

Guest users in Azure AD is not a problem, just make sure, like with any users, that you do an audit of what users you have and what users you can terminate. 

 

I hope this answered your questions! 
Let me know if you have further questions or if my replies are unclear! 

Kind Regards
Oliwer Sjöberg

Highlighted

You have features such as Access Reviews and the recently released Entitlement management to address #2. In particular, Entitlement management can be used to govern the whole process, from adding an external user to the directory, granting him access to SPO, removing access, removing the user altogether. But it requires Azure AD P2 licenses. Here's the documentation: https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview

Related Conversations
Get the user role from Azure AD by Laravel azure ad oauth
Arulraj123 in Azure on
0 Replies
Microsoft Developer Virtual Conference
Jenn Jinhong in Community Events List on
0 Replies
Technine - March Updates on Technlogy
Thomas_Collier in Community Events List on
0 Replies
Create a tenant in Windows Virtual Desktop
julian3216 in Azure on
6 Replies
Azure Storage vs SharePoint Document Library
telecaster in Azure on
0 Replies